S3 Authorization Framework “Managing Access in Student Information System at Carnegie Mellon University” Parviz Dousti IT Consulting Engineer Computing Service Carnegie Mellon University Oct. 1 st 2012
Feb 22, 2016
Background
Student Services Suite (S3)
A brownfield development of SIS
Completely new authorization
Had a discovery project to answer:
  Have a central authorization system?
  Use an open source solution?
  Buy a product?
  Write our own?
Requirements
Modularized: complete independence from the application
Configurable: i.e. not hard-coded
Flexible and powerful: capable of handling complex user stories in SIS
  Time-based authorizations, e.g. add/drop period
  Quantity/amount-based authorization, e.g. refunding
  Relation-based authorization, e.g. department admins' access to students of a certain program; advisor-advisee relation; original creator of a memo
Framework Design Goals
Powerful (RBAC, ABAC, filtering)
Encapsulated, isolated
Reusable
Simple
Scalable, fast
High Level Architecture
Authorization Vocabulary
Permission: User/Group can do Action on a Resource [based on Qualifier(s)]
Example: AcademicAdmins can Update /cmu/s3/admin/course_grades [if course belongs to their department]
Entities (Abstract)
Qualifier
User
Resource
Action
Permission
Group
Entities (Implemented)
Qualifier (33)
User
Resource:Action (199)
Permission
Group (61)
Qualifier Values
S3 Authz Building Blocks
Developer: Resource, Qualifier
Business Owner: Users, Groups, Qualifier Values, Permissions
Resources
Identifier of any "thing" to be protected
Adheres to a standard form:
  <cmu namespace>:<system>:<resource type>:<resource>=<action>
For example:
  urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades=view
More on Qualifiers
Fixed-attribute and custom qualifiers
May use the user's inherent attributes or affiliations
May use existing authorization tables in SIS
Can be combined in a Boolean expression
Not all are meaningful for a permission
Custom Qualifiers
Implemented as simple Java classes

  import java.util.Map;

  public class IsEnrolled implements Qualifier {
      private final EnrollmentDao dao; // enrollment lookup; assumed to be injected, not shown on the slide
      public boolean isSatisfied(String userId, Map<String, Object> ctx) {
          return dao.isEnrolled((String) ctx.get("studentId"));
      }
  }
Fixed-Attribute Qualifiers

  import java.util.Map;

  public class StudentDeptAR implements AttributeRetriever {
      private final StudentDao dao; // student lookup; assumed to be injected, not shown on the slide
      public AttributeSet fetchAttributes(Map<String, Object> ctx) {
          Student student = dao.fetchStudent((String) ctx.get("studentId"));
          AttributeSet as = new AttributeSet();
          as.setAttribute1(student.getDepartment()); // attribute1 carries the student's department
          return as;
      }
  }
API

  // API
  public interface AuthorizationEngine {
      boolean isAuthorized(String userId, String resource, Map<String, Object> context);
  }

  // Example call
  context.put("studentId", "northrop");
  authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context);
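To show how the pieces above fit together (groups for RBAC, qualifiers for ABAC, the isAuthorized(userId, resource, context) call), here is an added Python sketch of the evaluation logic; it is not S3's Java code, and the users, groups, departments, courses and advisee relations are constructed sample data. Qualifiers on a permission are combined with AND, and the engine is default-deny.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Sequence, Set

# A qualifier is a predicate over (userId, context), mirroring isSatisfied(userId, ctx).
Qualifier = Callable[[str, Mapping[str, object]], bool]

# Constructed sample data standing in for the SIS tables the slides mention.
USER_GROUPS: Dict[str, Set[str]] = {"dl2b": {"AcademicAdmins"}, "ben": {"Advisors"}}
USER_DEPT = {"dl2b": "CS", "ben": "ECE"}            # fixed attribute, as StudentDeptAR would fetch
COURSE_DEPT = {"15-213": "CS", "18-240": "ECE"}
ADVISEES = {"ben": {"northrop"}}                     # relation-based data (advisor -> advisees)

def course_in_own_dept(user_id: str, ctx: Mapping[str, object]) -> bool:
    # Fail closed: an unknown course (or user without a department) never matches.
    course_dept = COURSE_DEPT.get(ctx.get("courseId"))
    return course_dept is not None and course_dept == USER_DEPT.get(user_id)

QUALIFIERS: Dict[str, Qualifier] = {
    "CourseInOwnDept": course_in_own_dept,
    "IsAdvisee": lambda u, ctx: ctx.get("studentId") in ADVISEES.get(u, set()),
}

@dataclass(frozen=True)
class Permission:
    principal: str                  # user id or group name
    resource: str                   # "<resource>=<action>" form from the slides
    qualifiers: Sequence[str] = ()  # all must hold (AND); empty means unconditional

# Business-owner configuration: who may do what, under which qualifiers.
PERMISSIONS = [
    Permission("AcademicAdmins", "screen:students:grades=view"),
    Permission("AcademicAdmins", "admin:course_grades=update", ("CourseInOwnDept",)),
    Permission("Advisors", "screen:students:grades=view", ("IsAdvisee",)),
]

def is_authorized(user_id: str, resource: str, ctx: Mapping[str, object]) -> bool:
    """Default-deny: grant only if some permission for the user or one of the
    user's groups names this resource=action and all its qualifiers hold."""
    principals = {user_id} | USER_GROUPS.get(user_id, set())
    for perm in PERMISSIONS:
        if perm.principal not in principals or perm.resource != resource:
            continue
        # A qualifier name with no implementation fails closed rather than granting.
        if all(QUALIFIERS.get(q, lambda u, c: False)(user_id, ctx) for q in perm.qualifiers):
            return True
    return False
```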
Evaluating Design Goals
Powerful (RBAC, ABAC, filtering): Yes! groups + qualifiers
Encapsulated, isolated: Yes! authz engine + resource + custom qualifiers
Reusable: Yes! qualifiers applied to any resource
Simple: Yes! must only "tag" resources + write qualifiers
Scalable, fast: Yes! optimizations for caching and aggregating calls
Some UI Screenshots
Authorization Console
Thanks To:
Darleen LaBarbera - VP for Campus Affairs, Carnegie Mellon University
Ben Northrop - Distinguished Technical Consultant, Summa
Questions?